What Is Default Timeout on SSH?
Secure Shell is a method of managing a computer or server remotely that's available to Linux, OS X and Windows. At certain intervals, SSH sessions time out, because an open and unattended SSH session presents a security risk. If you're inactive for a certain amount of time, the connection shuts down and you'll be forced to log in again. This timeout is defined by your system's TCP settings, but can be overridden in the server settings or in the client settings. If you find that your SSH connection times out too often, you can always edit your SSH configuration to give you more or less inactive time.
Your server's timeout defaults to your system's TCP timeout. This is because SSH servers are automatically configured to use TCPKeepAlive, which sends out a probe at a preset time when the system is idle to check that the connection is still there. This default varies depending on your system. Some systems use a default as low as five seconds, and some go as high as two hours; the average is typically around three to five minutes. Your SSH connection, if it has not been modified to change the timeout on either the server or client end, will use this timeout. Settings in the server or client will override this timeout.
Server-Wide Timeout Settings
Editing the timeout from the sshd_config file will change the timeout options for every client that logs on to the server. System administrators can access this file at /etc/ssh/sshd_config. If you're using a terminal and are comfortable with a terminal editor, you can edit it entirely in the terminal by entering "sudo nano /etc/ssh/sshd_config". Add the option "ClientAliveInterval" which tells the server to send a packet of data to the client to check for activity. You should consider adding "ClientAliveCountMax" as well; this tells the server how many times it should check without getting a response. Do not put a pound sign in front of these; lines with pound signs in front of them are considered comments and are not active options in the server. For instance, if you wanted to set your ClientAliveInterval to five minutes and your ClientAliveCountMax to two, it could look like this:

ClientAliveInterval 300
ClientAliveCountMax 2
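As an added example (not part of the original article), the shell function below reads an sshd_config-style file and reports the ClientAliveInterval and ClientAliveCountMax values in effect, plus their product, which is roughly how many seconds an unresponsive client stays connected. The function name sshd_alive_window and the sample file are constructed for illustration; the function assumes values written as plain seconds and does not follow Include files.

```shell
#!/bin/sh
# Added example: report the keepalive settings sshd would take from the
# global section of an sshd_config-style file.
# Assumptions: values are plain seconds; Include files are not followed.

# Usage: sshd_alive_window FILE
# Prints "<interval> <countmax> <window>", where window is the number of
# seconds an unresponsive client stays connected (0 = probes disabled).
# Exit status 2 means a value was not a plain number of seconds.
sshd_alive_window() {
    awk '
        BEGIN { interval = 0; count = 3 }      # OpenSSH defaults
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # commented-out or blank: inactive
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "match" { exit }                # stop before Match overrides
        # sshd uses the first value it obtains for a keyword; repeats are ignored
        key == "clientaliveinterval" && !seen_i { interval = $2; seen_i = 1 }
        key == "clientalivecountmax" && !seen_c { count = $2; seen_c = 1 }
        END {
            if (interval !~ /^[0-9]+$/ || count !~ /^[0-9]+$/) exit 2
            print interval, count, interval * count
        }
    ' "$1"
}

# Constructed sample: the commented line, the repeated keyword and the
# Match block do not change the global result.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#ClientAliveInterval 60
ClientAliveInterval 300
clientalivecountmax 2
ClientAliveInterval 900
Match User backup
    ClientAliveInterval 0
EOF
sshd_alive_window "$sample"    # prints: 300 2 600
rm -f "$sample"
```

A window of 0 means the server sends no client-alive probes at all, which is what the file yields when both options are absent or commented out.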
If you're using a client like PuTTY, you can change the timeout by clicking the "Connection" option on the sidebar and filling in your preferred time, in seconds, in the text box beside "Seconds Between Keepalives". This should be based entirely on how long you think you'll be inactive between activity. You can also change this manually by opening your client-side settings file at /etc/ssh/ssh_config – note the difference from the server file "sshd_config". Add the setting "ServerAliveInterval" and set, in seconds, how often you want the client to send packets to keep the connection active.
Risks of Changing Timeout
Obviously, changing the timeout is a matter of convenience – it allows you to multitask without having to frequently renew your login to your SSH server. However, this means that you need to remain more vigilant at your desktop. If you walk away from your computer with an SSH connection open, anyone can sit down and access your server. While leaving an SSH connection open for home use is less concerning than when you're doing so for you, being in the habit of leaving your connection open can have quite horrible consequences in the wrong hands.